Scutil is referenced without full path #188

Closed
opened 2026-01-19 18:29:34 +00:00 by michael · 3 comments

Originally created by @wintererik on GitHub.

Summary

If /usr/sbin is not on the $PATH, then running the guidance script in "check" mode will fail for some rules. This is because CURRENT_USER is determined by running the scutil command without specifying its full path.

Steps to reproduce

Run the guidance script in "check" mode from a cron job.

Operating System version

Ventura 13.2.1

Intel or Apple Silicon

Apple Silicon

What is the current bug behavior?

system_settings_bluetooth_sharing_disable fails when running the guidance script in "check" mode from a cron job, with the following output.

```
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
```

This is because the CURRENT_USER variable is empty when running in a cron job. In cron jobs, /usr/sbin is not in the $PATH.

What is the expected correct behavior?

No difference in result when running in an environment which does not have /usr/sbin included in the $PATH.
E.g. in our case we tried to run the script scheduled with cron.

Relevant logs and/or screenshots

Output of checks

Possible fixes

The guidance script defines CURRENT_USER here:
https://github.com/usnistgov/macos_security/blob/3c8162a1fcb313fc3b503d1519d29148d13e8005/scripts/generate_guidance.py#L609

In the documentation, the full path is used instead to reference the scutil command.

```
CURRENT_USER=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" |
 /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
```

A possible fix is to do as in the documentation, i.e. use the full path in the guidance script. I can provide a pull request.


@wintererik commented on GitHub:

Pull request created #239


@robertgendler commented on GitHub:

Pull request would be awesome. If you do, make it against an OS branch, not main please.

We're always trying to make sure we use full path as much as possible, but definitely have missed occasional spots throughout the project.


@wintererik commented on GitHub:

Ok, perfect. Will get back with a pull request.

Reference: usnistgov/macos_security#188
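
The failure reported in this issue, reproduced as an added example (not code from the macos_security project): a bare-name lookup returns an empty user under a cron-style PATH, while the full-path form does not. The stand-in scutil, the temporary directory playing the role of /usr/sbin, `CRON_PATH`, the helper function names and the user `alice` are all assumptions made for the demo.

```shell
# Added example, not project code. The scutil used here is a constructed
# stand-in so the demo runs anywhere; on macOS the real tool is /usr/sbin/scutil.
CRON_PATH="/usr/bin:/bin"   # assumed cron-style PATH: no /usr/sbin
AWK=$(command -v awk)       # resolved once so only the scutil lookup varies
FILTER='/Name :/ && ! /loginwindow/ { print $3 }'
QUERY='show State:/Users/ConsoleUser'

# Create a directory that plays the role of /usr/sbin and holds a fake scutil
# printing constructed ConsoleUser output for a user named alice.
make_stub_sbin() {
  stub_dir=$(mktemp -d) || return 1
  cat > "$stub_dir/scutil" <<'EOF'
#!/bin/sh
cat > /dev/null
printf '<dictionary> {\n  GID : 20\n  Name : alice\n  UID : 501\n}\n'
EOF
  chmod +x "$stub_dir/scutil"
  printf '%s\n' "$stub_dir"
}

# Bare-name lookup, as in the reported script: the result depends on PATH ($1).
console_user_bare() {
  ( PATH="$1"
    printf '%s\n' "$QUERY" | scutil 2>/dev/null | "$AWK" "$FILTER" )
}

# Full-path lookup, as in the documentation: $1 is the directory holding scutil.
console_user_abs() {
  ( PATH="$CRON_PATH"
    printf '%s\n' "$QUERY" | "$1/scutil" | "$AWK" "$FILTER" )
}

# Guard: stop before an empty user name is handed on to sudo.
require_user() {
  if [ -z "$1" ]; then
    echo "CURRENT_USER is empty; refusing to run per-user checks" >&2
    return 1
  fi
}

sbin=$(make_stub_sbin)
echo "bare name, cron PATH: '$(console_user_bare "$CRON_PATH")'"
echo "full path, cron PATH: '$(console_user_abs "$sbin")'"
require_user "$(console_user_bare "$CRON_PATH")" || echo "guard tripped as expected"
rm -rf "$sbin"
```

The guard is independent of the path fix: it turns any future empty lookup into one clear error instead of a sudo usage dump.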